Fake Websites and Fake Users: The Perfect Recipe for Ad Fraud

We recently sat down with Dr. Augustine Fou, a recognized thought leader in digital strategy, integrated marketing and ad fraud research. In part one of our two-part interview, Dr. Fou shares his experiences with ad fraud, the bots behind it and how bad actors take money away from good publishers and advertisers.

Explain some of the basics of ad fraud. How does it happen? How do the fraudsters steal ad revenue?

As media buying and selling has become more automated, the bad guys have also been automating their processes for committing ad fraud. Two ingredients are necessary for ad fraud to occur: fake websites and fake users. Fake websites are sites that have no content but carry a lot of ads. For an ad to be served on a fake website, users need to visit the page. However, real users only visit websites because they want to browse content. To solve for this, fake website developers manufacture fake users, or bots, to cause the page and the ad to load.

Developers can script bots to do certain tasks repetitively—hit a web page, fake a mouse movement, fake page scrolling, click on parts of a site. These bots repeatedly load web pages, generate tens of millions of ad impressions, and create an image for advertisers that their site reaches thousands of users each day.

In the past, there were only a few well-known sites that buyers would work with and, in turn, they knew where their ads were going. Now that there are tens of millions of these long-tail websites across multiple ad exchanges, it’s difficult to track down the fraudsters because no one is checking out these sites until there’s a problem. That’s how bad guys continue getting away with stealing ad dollars.

How is the industry trying to detect this type of fraudulent activity?

The IAB has a bot list, and while it’s possible to detect named bots, it becomes more difficult to detect malicious bots. There are technology companies that try to detect them, but technologies have limitations. They usually catch the most obvious bots that immediately identify themselves and say their name honestly, like search engine bots. The bad guys disguise their bots. They are not honest about who they are and use nondescript labels such as “Internet Explorer,” “Safari” or “Chrome,” so you need other ways to detect them.

What are some key characteristics of the traffic generated by bots? What should a publisher do when bot traffic comes to their site?

If you see visitors coming from a data center—such as Amazon Web Services, Level 3, Soft Layer or Akamai—it’s safe to say it is not human activity because humans don’t access the Internet through data centers. These bots are created in data centers and programmed to hit websites. Publishers can add some filters to their web serving process to help them protect advertiser investments. We don’t want to block bot traffic completely because we need the page to load for certain bots (such as search engine crawlers) to do their jobs. But filters allow bot traffic to come to the site, let the page serve, but then take the additional step of not serving the ad to bots.

How could an advertiser accidentally target a fraudulent bot?

A bot visits a site and collects a cookie. It’s that easy. The bots use this process called “cookie collecting” to make them look like they are really users who are interested in content on legitimate sites, and when they move to the other—possibly illegitimate—sites in that ad network, the advertiser will retarget their ad to that fraud bot.

You can program a bot to visit a list of 100 sites and they will go visit all 100. Fraud bots are gaming the system because they can easily visit 100 sites in a few minutes, and during that process bots can take on many characteristics, even seasonality. It’s easy to program a million bots to create a cookie profile that looks like an appealing audience. The bot maker knows what characteristics will make the bots attractive to advertisers, especially those trying to get ads in front of certain audiences. For example, the bot maker can tell the bots to go look at backpacks, lunchboxes and school uniforms all within an August timeframe to look like a back-to-school shopper and attract advertisers who are willing to pay extra money to reach this type of user. Advertisers think they’re targeting real users interested in back-to-school products, stealing revenue away from good advertisers and publishers.

How does this process harm good publishers and advertisers?

This is just one of the ways that bots are becoming more efficient to make more money and siphon ad revenue away from good publishers like those who are a part of AAM. The bot collects a cookie from a good publisher but then goes to a fraudulent site and causes an ad impression to load. When that happens then those illegitimate sites earn the advertiser’s money and the good publisher does not. In turn, the advertiser thinks they’re getting an ad in front of an ideal user and potential consumer. Unfortunately, that user is not a human so the advertiser paid extra for an audience that’s never going to result in a sale. That’s how the bots get in the middle of the media buying and selling process. They’re ripping off good publishers and advertisers.

In part two of our interview, Dr. Fou will share tips for identifying legitimate publishers and how the industry can help expose the bad actors who take money away from good publishers and advertisers.